Verified Commit e5840ba2 authored by Josef Schlehofer

patches/openwrt: zlib: update to version 1.2.12

parent c789bcab
From 177f899e76222550e2257a03f905f3fce84b1a40 Mon Sep 17 00:00:00 2001
From: Josef Schlehofer <pepe.schlehofer@gmail.com>
Date: Mon, 8 Aug 2022 10:23:27 +0200
Subject: [PATCH] zlib: update to version 1.2.12
Fixes:
CVE-2018-25032
CVE-2022-37434
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
---
package/libs/zlib/Makefile | 11 +-
.../001-neon-implementation-of-adler32.patch | 27 +-
...m-specific-optimisations-for-inflate.patch | 502 ------------------
...m-specific-optimisations-for-inflate.patch | 501 +++++++++++++++++
...cefiles-in-patch-002-to-buildsystem.patch} | 0
...ch => 005-relative-pkg-config-paths.patch} | 0
.../zlib/patches/006-fix-CVE-2022-37434.patch | 32 ++
...x-compressor-crash-on-certain-inputs.patch | 343 ------------
...ll-dereference-in-fix-CVE-2022-37434.patch | 29 +
9 files changed, 578 insertions(+), 867 deletions(-)
create mode 100644 package/libs/zlib/patches/003-arm-specific-optimisations-for-inflate.patch
rename package/libs/zlib/patches/{003-attach-sourcefiles-in-patch-002-to-buildsystem.patch => 004-attach-sourcefiles-in-patch-002-to-buildsystem.patch} (100%)
rename package/libs/zlib/patches/{004-relative-pkg-config-paths.patch => 005-relative-pkg-config-paths.patch} (100%)
create mode 100644 package/libs/zlib/patches/006-fix-CVE-2022-37434.patch
delete mode 100644 package/libs/zlib/patches/006-fix-compressor-crash-on-certain-inputs.patch
create mode 100644 package/libs/zlib/patches/007-fix-null-dereference-in-fix-CVE-2022-37434.patch
diff --git a/package/libs/zlib/Makefile b/package/libs/zlib/Makefile
index 7321ec51c5..8512394ff4 100644
--- a/package/libs/zlib/Makefile
+++ b/package/libs/zlib/Makefile
@@ -8,12 +8,13 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=zlib
-PKG_VERSION:=1.2.11
-PKG_RELEASE:=4
+PKG_VERSION:=1.2.12
+PKG_RELEASE:=$(AUTORELEASE)
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=@SF/libpng http://www.zlib.net
-PKG_HASH:=4ff941449631ace0d4d203e3483be9dbc9da454084111f97ea0a2114e19bf066
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/madler/zlib
+PKG_MIRROR_HASH:=a162fc219763635f0c1591ec515d4b08684e4b0bfb4b1c8e65e4eab18d597c27
+PKG_SOURCE_VERSION:=21767c654d31d2dccdde4330529775c6c5fd5389
PKG_LICENSE:=Zlib
PKG_LICENSE_FILES:=README
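Review bot: `PKG_SOURCE_VERSION:=21767c654d31d2dccdde4330529775c6c5fd5389` pins a bare commit with nothing in the Makefile tying it to the 1.2.12 release the title announces, so a later bump can silently land on an untagged commit; a one-line comment above it such as `# v1.2.12 release commit; CVE-2022-37434 is fixed on top by patches 006/007` would make the pin auditable (assuming, as the title implies, that this is the tagged release). Moving from the release tarball with PKG_HASH to a git checkout means source integrity now rests on the full 40-character commit id plus PKG_MIRROR_HASH for the mirror tarball, which holds only as long as the id is never shortened or replaced by a branch name. Separately, the carried ARM patches create their own copy of inflate.c under contrib/arm/ (see the contrib/arm/inflate.c hunks further down this commit), so it is worth confirming that the CVE-2022-37434 fixes in 006/007 — which by their diffstat size appear to touch only the top-level inflate.c — also reach that copy when the ARM code path is built, otherwise the advertised fix may not apply on ARM targets.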
diff --git a/package/libs/zlib/patches/001-neon-implementation-of-adler32.patch b/package/libs/zlib/patches/001-neon-implementation-of-adler32.patch
index 843ef45c7d..c5517299d7 100644
--- a/package/libs/zlib/patches/001-neon-implementation-of-adler32.patch
+++ b/package/libs/zlib/patches/001-neon-implementation-of-adler32.patch
@@ -21,11 +21,9 @@ https://bugs.chromium.org/p/chromium/issues/detail?id=688601
4 files changed, 166 insertions(+), 8 deletions(-)
create mode 100644 contrib/arm/neon_adler32.c
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 0fe939df..8e75f664 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
-@@ -7,6 +7,7 @@ set(VERSION "1.2.11")
+@@ -7,6 +7,7 @@ set(VERSION "1.2.12")
option(ASM686 "Enable building i686 assembly implementation")
option(AMD64 "Enable building amd64 assembly implementation")
@@ -77,16 +75,16 @@ index 0fe939df..8e75f664 100644
set_target_properties(zlib PROPERTIES DEFINE_SYMBOL ZLIB_DLL)
set_target_properties(zlib PROPERTIES SOVERSION 1)
-diff --git a/adler32.c b/adler32.c
-index d0be4380..45ebaa4b 100644
--- a/adler32.c
+++ b/adler32.c
-@@ -136,7 +136,12 @@ uLong ZEXPORT adler32(adler, buf, len)
+@@ -136,7 +136,14 @@ uLong ZEXPORT adler32(adler, buf, len)
const Bytef *buf;
uInt len;
{
+#ifdef ARMv8
+# pragma message("Using NEON-ized Adler32.")
++unsigned long NEON_adler32(unsigned long adler, const unsigned char *buf,
++ const unsigned int len);
+ return NEON_adler32(adler, buf, len);
+#else
return adler32_z(adler, buf, len);
@@ -94,23 +92,18 @@ index d0be4380..45ebaa4b 100644
}
/* ========================================================================= */
-diff --git a/contrib/README.contrib b/contrib/README.contrib
-index a411d5c3..3fd1d202 100644
--- a/contrib/README.contrib
+++ b/contrib/README.contrib
-@@ -12,6 +12,9 @@ amd64/ by Mikhail Teterin <mi@ALDAN.algebra.com>
- asm code for AMD64
- See patch at http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/96393
+@@ -8,6 +8,9 @@ ada/ by Dmitriy Anisimkov <anisim
+ Support for Ada
+ See http://zlib-ada.sourceforge.net/
+arm/ by Adenilson Cavalcanti <cavalcantii@chromium.org>
+ ARM optimizations (NEON and ARMv8 code).
+
- asm686/ by Brian Raiter <breadbox@muppetlabs.com>
- asm code for Pentium and PPro/PII, using the AT&T (GNU as) syntax
- See http://www.muppetlabs.com/~breadbox/software/assembly.html
-diff --git a/contrib/arm/neon_adler32.c b/contrib/arm/neon_adler32.c
-new file mode 100644
-index 00000000..f173a74f
+ blast/ by Mark Adler <madler@alumni.caltech.edu>
+ Decompressor for output of PKWare Data Compression Library (DCL)
+
--- /dev/null
+++ b/contrib/arm/neon_adler32.c
@@ -0,0 +1,137 @@
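Review bot: The refreshed hunk for adler32.c declares `NEON_adler32` inside the body of `adler32()` (the two `++unsigned long NEON_adler32(...)` lines) rather than in a header shared with contrib/arm/neon_adler32.c, so the compiler has no way to check this prototype against the definition and a signature drift between the two files would compile cleanly and only fail at run time. If a shared header is not wanted for a carried patch, a comment on the declaration, `/* defined in contrib/arm/neon_adler32.c; keep in sync with its signature */`, at least points the next refresher at the other half. The enclosing adler32() function continues outside this hunk.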
diff --git a/package/libs/zlib/patches/002-arm-specific-optimisations-for-inflate.patch b/package/libs/zlib/patches/002-arm-specific-optimisations-for-inflate.patch
index 475ed6f3e9..d181b034e5 100644
--- a/package/libs/zlib/patches/002-arm-specific-optimisations-for-inflate.patch
+++ b/package/libs/zlib/patches/002-arm-specific-optimisations-for-inflate.patch
@@ -1907,505 +1907,3 @@ index 00000000..ac333e8c
+ state = (struct inflate_state FAR *)strm->state;
+ return (unsigned long)(state->next - state->codes);
+}
-
-From 247147654fe5cd11cf15d8dff91440405ea57040 Mon Sep 17 00:00:00 2001
-From: Simon Hosie <simon.hosie@arm.com>
-Date: Wed, 12 Apr 2017 15:44:21 -0700
-Subject: [PATCH 2/2] Inflate using wider loads and stores
-
-In inflate_fast() the output pointer always has plenty of room to write. This
-means that so long as the target is capable, wide un-aligned loads and stores
-can be used to transfer several bytes at once. When the reference distance is
-too short simply unroll the data a little to increase the distance.
-
-Change-Id: I59854eb25d2b1e43561c8a2afaf9175bf10cf674
----
- contrib/arm/chunkcopy.h | 279 ++++++++++++++++++++++++++++++++++++++++++++++++
- contrib/arm/inffast.c | 96 +++++++----------
- contrib/arm/inflate.c | 22 ++--
- 3 files changed, 335 insertions(+), 62 deletions(-)
- create mode 100644 contrib/arm/chunkcopy.h
-
-diff --git a/contrib/arm/chunkcopy.h b/contrib/arm/chunkcopy.h
-new file mode 100644
-index 00000000..2d6fd6f9
---- /dev/null
-+++ b/contrib/arm/chunkcopy.h
-@@ -0,0 +1,279 @@
-+/* chunkcopy.h -- fast copies and sets
-+ * Copyright (C) 2017 ARM, Inc.
-+ * For conditions of distribution and use, see copyright notice in zlib.h
-+ */
-+
-+#ifndef CHUNKCOPY_H
-+#define CHUNKCOPY_H
-+
-+#include "zutil.h"
-+#include <arm_neon.h>
-+
-+#if __STDC_VERSION__ >= 199901L
-+#define Z_RESTRICT restrict
-+#else
-+#define Z_RESTRICT
-+#endif
-+
-+typedef uint8x16_t chunkcopy_chunk_t;
-+#define CHUNKCOPY_CHUNK_SIZE sizeof(chunkcopy_chunk_t)
-+
-+/*
-+ Ask the compiler to perform a wide, unaligned load with an machine
-+ instruction appropriate for the chunkcopy_chunk_t type.
-+ */
-+static inline chunkcopy_chunk_t loadchunk(const unsigned char FAR *s) {
-+ chunkcopy_chunk_t c;
-+ __builtin_memcpy(&c, s, sizeof(c));
-+ return c;
-+}
-+
-+/*
-+ Ask the compiler to perform a wide, unaligned store with an machine
-+ instruction appropriate for the chunkcopy_chunk_t type.
-+ */
-+static inline void storechunk(unsigned char FAR *d, chunkcopy_chunk_t c) {
-+ __builtin_memcpy(d, &c, sizeof(c));
-+}
-+
-+/*
-+ Perform a memcpy-like operation, but assume that length is non-zero and that
-+ it's OK to overwrite at least CHUNKCOPY_CHUNK_SIZE bytes of output even if
-+ the length is shorter than this.
-+
-+ It also guarantees that it will properly unroll the data if the distance
-+ between `out` and `from` is at least CHUNKCOPY_CHUNK_SIZE, which we rely on
-+ in chunkcopy_relaxed().
-+
-+ Aside from better memory bus utilisation, this means that short copies
-+ (CHUNKCOPY_CHUNK_SIZE bytes or fewer) will fall straight through the loop
-+ without iteration, which will hopefully make the branch prediction more
-+ reliable.
-+ */
-+static inline unsigned char FAR *chunkcopy_core(unsigned char FAR *out,
-+ const unsigned char FAR *from,
-+ unsigned len) {
-+ int bump = (--len % CHUNKCOPY_CHUNK_SIZE) + 1;
-+ storechunk(out, loadchunk(from));
-+ out += bump;
-+ from += bump;
-+ len /= CHUNKCOPY_CHUNK_SIZE;
-+ while (len-- > 0) {
-+ storechunk(out, loadchunk(from));
-+ out += CHUNKCOPY_CHUNK_SIZE;
-+ from += CHUNKCOPY_CHUNK_SIZE;
-+ }
-+ return out;
-+}
-+
-+/*
-+ Like chunkcopy_core, but avoid writing beyond of legal output.
-+
-+ Accepts an additional pointer to the end of safe output. A generic safe
-+ copy would use (out + len), but it's normally the case that the end of the
-+ output buffer is beyond the end of the current copy, and this can still be
-+ exploited.
-+ */
-+static inline unsigned char FAR *chunkcopy_core_safe(unsigned char FAR *out,
-+ const unsigned char FAR * from,
-+ unsigned len,
-+ unsigned char FAR *limit) {
-+ Assert(out + len <= limit, "chunk copy exceeds safety limit");
-+ if (limit - out < CHUNKCOPY_CHUNK_SIZE) {
-+ const unsigned char FAR * Z_RESTRICT rfrom = from;
-+ if (len & 8) { __builtin_memcpy(out, rfrom, 8); out += 8; rfrom += 8; }
-+ if (len & 4) { __builtin_memcpy(out, rfrom, 4); out += 4; rfrom += 4; }
-+ if (len & 2) { __builtin_memcpy(out, rfrom, 2); out += 2; rfrom += 2; }
-+ if (len & 1) { *out++ = *rfrom++; }
-+ return out;
-+ }
-+ return chunkcopy_core(out, from, len);
-+}
-+
-+/*
-+ Perform short copies until distance can be rewritten as being at least
-+ CHUNKCOPY_CHUNK_SIZE.
-+
-+ This assumes that it's OK to overwrite at least the first
-+ 2*CHUNKCOPY_CHUNK_SIZE bytes of output even if the copy is shorter than
-+ this. This assumption holds within inflate_fast() which starts every
-+ iteration with at least 258 bytes of output space available (258 being the
-+ maximum length output from a single token; see inffast.c).
-+ */
-+static inline unsigned char FAR *chunkunroll_relaxed(unsigned char FAR *out,
-+ unsigned FAR *dist,
-+ unsigned FAR *len) {
-+ const unsigned char FAR *from = out - *dist;
-+ while (*dist < *len && *dist < CHUNKCOPY_CHUNK_SIZE) {
-+ storechunk(out, loadchunk(from));
-+ out += *dist;
-+ *len -= *dist;
-+ *dist += *dist;
-+ }
-+ return out;
-+}
-+
-+
-+static inline uint8x16_t chunkset_vld1q_dup_u8x8(const unsigned char FAR * Z_RESTRICT from) {
-+#if defined(__clang__) || defined(__aarch64__)
-+ return vreinterpretq_u8_u64(vld1q_dup_u64((void *)from));
-+#else
-+ /* 32-bit GCC uses an alignment hint for vld1q_dup_u64, even when given a
-+ * void pointer, so here's an alternate implementation.
-+ */
-+ uint8x8_t h = vld1_u8(from);
-+ return vcombine_u8(h, h);
-+#endif
-+}
-+
-+/*
-+ Perform an overlapping copy which behaves as a memset() operation, but
-+ supporting periods other than one, and assume that length is non-zero and
-+ that it's OK to overwrite at least CHUNKCOPY_CHUNK_SIZE*3 bytes of output
-+ even if the length is shorter than this.
-+ */
-+static inline unsigned char FAR *chunkset_core(unsigned char FAR *out,
-+ unsigned period,
-+ unsigned len) {
-+ uint8x16_t f;
-+ int bump = ((len - 1) % sizeof(f)) + 1;
-+
-+ switch (period) {
-+ case 1:
-+ f = vld1q_dup_u8(out - 1);
-+ vst1q_u8(out, f);
-+ out += bump;
-+ len -= bump;
-+ while (len > 0) {
-+ vst1q_u8(out, f);
-+ out += sizeof(f);
-+ len -= sizeof(f);
-+ }
-+ return out;
-+ case 2:
-+ f = vreinterpretq_u8_u16(vld1q_dup_u16((void *)(out - 2)));
-+ vst1q_u8(out, f);
-+ out += bump;
-+ len -= bump;
-+ if (len > 0) {
-+ f = vreinterpretq_u8_u16(vld1q_dup_u16((void *)(out - 2)));
-+ do {
-+ vst1q_u8(out, f);
-+ out += sizeof(f);
-+ len -= sizeof(f);
-+ } while (len > 0);
-+ }
-+ return out;
-+ case 4:
-+ f = vreinterpretq_u8_u32(vld1q_dup_u32((void *)(out - 4)));
-+ vst1q_u8(out, f);
-+ out += bump;
-+ len -= bump;
-+ if (len > 0) {
-+ f = vreinterpretq_u8_u32(vld1q_dup_u32((void *)(out - 4)));
-+ do {
-+ vst1q_u8(out, f);
-+ out += sizeof(f);
-+ len -= sizeof(f);
-+ } while (len > 0);
-+ }
-+ return out;
-+ case 8:
-+ f = chunkset_vld1q_dup_u8x8(out - 8);
-+ vst1q_u8(out, f);
-+ out += bump;
-+ len -= bump;
-+ if (len > 0) {
-+ f = chunkset_vld1q_dup_u8x8(out - 8);
-+ do {
-+ vst1q_u8(out, f);
-+ out += sizeof(f);
-+ len -= sizeof(f);
-+ } while (len > 0);
-+ }
-+ return out;
-+ }
-+ out = chunkunroll_relaxed(out, &period, &len);
-+ return chunkcopy_core(out, out - period, len);
-+}
-+
-+/*
-+ Perform a memcpy-like operation, but assume that length is non-zero and that
-+ it's OK to overwrite at least CHUNKCOPY_CHUNK_SIZE bytes of output even if
-+ the length is shorter than this.
-+
-+ Unlike chunkcopy_core() above, no guarantee is made regarding the behaviour
-+ of overlapping buffers, regardless of the distance between the pointers.
-+ This is reflected in the `restrict`-qualified pointers, allowing the
-+ compiler to reorder loads and stores.
-+ */
-+static inline unsigned char FAR *chunkcopy_relaxed(unsigned char FAR * Z_RESTRICT out,
-+ const unsigned char FAR * Z_RESTRICT from,
-+ unsigned len) {
-+ return chunkcopy_core(out, from, len);
-+}
-+
-+/*
-+ Like chunkcopy_relaxed, but avoid writing beyond of legal output.
-+
-+ Unlike chunkcopy_core_safe() above, no guarantee is made regarding the
-+ behaviour of overlapping buffers, regardless of the distance between the
-+ pointers. This is reflected in the `restrict`-qualified pointers, allowing
-+ the compiler to reorder loads and stores.
-+
-+ Accepts an additional pointer to the end of safe output. A generic safe
-+ copy would use (out + len), but it's normally the case that the end of the
-+ output buffer is beyond the end of the current copy, and this can still be
-+ exploited.
-+ */
-+static inline unsigned char FAR *chunkcopy_safe(unsigned char FAR *out,
-+ const unsigned char FAR * Z_RESTRICT from,
-+ unsigned len,
-+ unsigned char FAR *limit) {
-+ Assert(out + len <= limit, "chunk copy exceeds safety limit");
-+ return chunkcopy_core_safe(out, from, len, limit);
-+}
-+
-+/*
-+ Perform chunky copy within the same buffer, where the source and destination
-+ may potentially overlap.
-+
-+ Assumes that len > 0 on entry, and that it's safe to write at least
-+ CHUNKCOPY_CHUNK_SIZE*3 bytes to the output.
-+ */
-+static inline unsigned char FAR *chunkcopy_lapped_relaxed(unsigned char FAR *out,
-+ unsigned dist,
-+ unsigned len) {
-+ if (dist < len && dist < CHUNKCOPY_CHUNK_SIZE) {
-+ return chunkset_core(out, dist, len);
-+ }
-+ return chunkcopy_core(out, out - dist, len);
-+}
-+
-+/*
-+ Behave like chunkcopy_lapped_relaxed, but avoid writing beyond of legal output.
-+
-+ Accepts an additional pointer to the end of safe output. A generic safe
-+ copy would use (out + len), but it's normally the case that the end of the
-+ output buffer is beyond the end of the current copy, and this can still be
-+ exploited.
-+ */
-+static inline unsigned char FAR *chunkcopy_lapped_safe(unsigned char FAR *out,
-+ unsigned dist,
-+ unsigned len,
-+ unsigned char FAR *limit) {
-+ Assert(out + len <= limit, "chunk copy exceeds safety limit");
-+ if (limit - out < CHUNKCOPY_CHUNK_SIZE * 3) {
-+ /* TODO: try harder to optimise this */
-+ while (len-- > 0) {
-+ *out = *(out - dist);
-+ out++;
-+ }
-+ return out;
-+ }
-+ return chunkcopy_lapped_relaxed(out, dist, len);
-+}
-+
-+#undef Z_RESTRICT
-+
-+#endif /* CHUNKCOPY_H */
-diff --git a/contrib/arm/inffast.c b/contrib/arm/inffast.c
-index 0dbd1dbc..f7f50071 100644
---- a/contrib/arm/inffast.c
-+++ b/contrib/arm/inffast.c
-@@ -7,6 +7,7 @@
- #include "inftrees.h"
- #include "inflate.h"
- #include "inffast.h"
-+#include "chunkcopy.h"
-
- #ifdef ASMINF
- # pragma message("Assembler code may have bugs -- use at your own risk")
-@@ -57,6 +58,7 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
- unsigned char FAR *out; /* local strm->next_out */
- unsigned char FAR *beg; /* inflate()'s initial strm->next_out */
- unsigned char FAR *end; /* while out < end, enough space available */
-+ unsigned char FAR *limit; /* safety limit for chunky copies */
- #ifdef INFLATE_STRICT
- unsigned dmax; /* maximum distance from zlib header */
- #endif
-@@ -84,12 +86,13 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
- out = strm->next_out;
- beg = out - (start - strm->avail_out);
- end = out + (strm->avail_out - 257);
-+ limit = out + strm->avail_out;
- #ifdef INFLATE_STRICT
- dmax = state->dmax;
- #endif
- wsize = state->wsize;
- whave = state->whave;
-- wnext = state->wnext;
-+ wnext = (state->wnext == 0 && whave >= wsize) ? wsize : state->wnext;
- window = state->window;
- hold = state->hold;
- bits = state->bits;
-@@ -197,70 +200,51 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
- #endif
- }
- from = window;
-- if (wnext == 0) { /* very common case */
-- from += wsize - op;
-- if (op < len) { /* some from window */
-- len -= op;
-- do {
-- *out++ = *from++;
-- } while (--op);
-- from = out - dist; /* rest from output */
-- }
-+ if (wnext >= op) { /* contiguous in window */
-+ from += wnext - op;
- }
-- else if (wnext < op) { /* wrap around window */
-- from += wsize + wnext - op;
-+ else { /* wrap around window */
- op -= wnext;
-+ from += wsize - op;
- if (op < len) { /* some from end of window */
- len -= op;
-- do {
-- *out++ = *from++;
-- } while (--op);
-- from = window;
-- if (wnext < len) { /* some from start of window */
-- op = wnext;
-- len -= op;
-- do {
-- *out++ = *from++;
-- } while (--op);
-- from = out - dist; /* rest from output */
-- }
-+ out = chunkcopy_safe(out, from, op, limit);
-+ from = window; /* more from start of window */
-+ op = wnext;
-+ /* This (rare) case can create a situation where
-+ the first chunkcopy below must be checked.
-+ */
- }
- }
-- else { /* contiguous in window */
-- from += wnext - op;
-- if (op < len) { /* some from window */
-- len -= op;
-- do {
-- *out++ = *from++;
-- } while (--op);
-- from = out - dist; /* rest from output */
-- }
-- }
-- while (len > 2) {
-- *out++ = *from++;
-- *out++ = *from++;
-- *out++ = *from++;
-- len -= 3;
-- }
-- if (len) {
-- *out++ = *from++;
-- if (len > 1)
-- *out++ = *from++;
-+ if (op < len) { /* still need some from output */
-+ out = chunkcopy_safe(out, from, op, limit);
-+ len -= op;
-+ /* When dist is small the amount of data that can be
-+ copied from the window is also small, and progress
-+ towards the dangerous end of the output buffer is
-+ also small. This means that for trivial memsets and
-+ for chunkunroll_relaxed() a safety check is
-+ unnecessary. However, these conditions may not be
-+ entered at all, and in that case it's possible that
-+ the main copy is near the end.
-+ */
-+ out = chunkunroll_relaxed(out, &dist, &len);
-+ out = chunkcopy_safe(out, out - dist, len, limit);
-+ } else {
-+ /* from points to window, so there is no risk of
-+ overlapping pointers requiring memset-like behaviour
-+ */
-+ out = chunkcopy_safe(out, from, len, limit);
- }
- }
- else {
-- from = out - dist; /* copy direct from output */
-- do { /* minimum length is three */
-- *out++ = *from++;
-- *out++ = *from++;
-- *out++ = *from++;
-- len -= 3;
-- } while (len > 2);
-- if (len) {
-- *out++ = *from++;
-- if (len > 1)
-- *out++ = *from++;
-- }
-+ /* Whole reference is in range of current output. No
-+ range checks are necessary because we start with room
-+ for at least 258 bytes of output, so unroll and roundoff
-+ operations can write beyond `out+len` so long as they
-+ stay within 258 bytes of `out`.
-+ */
-+ out = chunkcopy_lapped_relaxed(out, dist, len);
- }
- }
- else if ((op & 64) == 0) { /* 2nd level distance code */
-diff --git a/contrib/arm/inflate.c b/contrib/arm/inflate.c
-index ac333e8c..e40322c3 100644
---- a/contrib/arm/inflate.c
-+++ b/contrib/arm/inflate.c
-@@ -84,6 +84,7 @@
- #include "inftrees.h"
- #include "inflate.h"
- #include "inffast.h"
-+#include "contrib/arm/chunkcopy.h"
-
- #ifdef MAKEFIXED
- # ifndef BUILDFIXED
-@@ -405,10 +406,20 @@ unsigned copy;
-
- /* if it hasn't been done already, allocate space for the window */
- if (state->window == Z_NULL) {
-+ unsigned wsize = 1U << state->wbits;
- state->window = (unsigned char FAR *)
-- ZALLOC(strm, 1U << state->wbits,
-+ ZALLOC(strm, wsize + CHUNKCOPY_CHUNK_SIZE,
- sizeof(unsigned char));
- if (state->window == Z_NULL) return 1;
-+#ifdef INFLATE_CLEAR_UNUSED_UNDEFINED
-+ /* Copies from the overflow portion of this buffer are undefined and
-+ may cause analysis tools to raise a warning if we don't initialize
-+ it. However, this undefined data overwrites other undefined data
-+ and is subsequently either overwritten or left deliberately
-+ undefined at the end of decode; so there's really no point.
-+ */
-+ memset(state->window + wsize, 0, CHUNKCOPY_CHUNK_SIZE);
-+#endif
- }
-
- /* if window not in use yet, initialize */
-@@ -1175,17 +1186,16 @@ int flush;
- else
- from = state->window + (state->wnext - copy);
- if (copy > state->length) copy = state->length;
-+ if (copy > left) copy = left;
-+ put = chunkcopy_safe(put, from, copy, put + left);
- }
- else { /* copy from output */
-- from = put - state->offset;
- copy = state->length;
-+ if (copy > left) copy = left;
-+ put = chunkcopy_lapped_safe(put, state->offset, copy, put + left);
- }
-- if (copy > left) copy = left;
- left -= copy;
- state->length -= copy;
-- do {
-- *put++ = *from++;
-- } while (--copy);
- if (state->length == 0) state->mode = LEN;
- break;
- case LIT:
diff --git a/package/libs/zlib/patches/003-arm-specific-optimisations-for-inflate.patch b/package/libs/zlib/patches/003-arm-specific-optimisations-for-inflate.patch
new file mode 100644
index 0000000000..9370264c40
--- /dev/null
+++ b/package/libs/zlib/patches/003-arm-specific-optimisations-for-inflate.patch
@@ -0,0 +1,501 @@
+From 247147654fe5cd11cf15d8dff91440405ea57040 Mon Sep 17 00:00:00 2001
+From: Simon Hosie <simon.hosie@arm.com>
+Date: Wed, 12 Apr 2017 15:44:21 -0700
+Subject: [PATCH 2/2] Inflate using wider loads and stores
+
+In inflate_fast() the output pointer always has plenty of room to write. This
+means that so long as the target is capable, wide un-aligned loads and stores
+can be used to transfer several bytes at once. When the reference distance is
+too short simply unroll the data a little to increase the distance.
+
+Change-Id: I59854eb25d2b1e43561c8a2afaf9175bf10cf674
+---
+ contrib/arm/chunkcopy.h | 279 ++++++++++++++++++++++++++++++++++++++++++++++++
+ contrib/arm/inffast.c | 96 +++++++----------
+ contrib/arm/inflate.c | 22 ++--
+ 3 files changed, 335 insertions(+), 62 deletions(-)
+ create mode 100644 contrib/arm/chunkcopy.h
+
+diff --git a/contrib/arm/chunkcopy.h b/contrib/arm/chunkcopy.h
+new file mode 100644
+index 00000000..2d6fd6f9
+--- /dev/null
++++ b/contrib/arm/chunkcopy.h
+@@ -0,0 +1,279 @@
++/* chunkcopy.h -- fast copies and sets
++ * Copyright (C) 2017 ARM, Inc.
++ * For conditions of distribution and use, see copyright notice in zlib.h
++ */
++
++#ifndef CHUNKCOPY_H
++#define CHUNKCOPY_H
++
++#include "zutil.h"
++#include <arm_neon.h>
++
++#if __STDC_VERSION__ >= 199901L
++#define Z_RESTRICT restrict
++#else
++#define Z_RESTRICT
++#endif
++
++typedef uint8x16_t chunkcopy_chunk_t;
++#define CHUNKCOPY_CHUNK_SIZE sizeof(chunkcopy_chunk_t)
++
++/*
++ Ask the compiler to perform a wide, unaligned load with an machine
++ instruction appropriate for the chunkcopy_chunk_t type.
++ */
++static inline chunkcopy_chunk_t loadchunk(const unsigned char FAR *s) {
++ chunkcopy_chunk_t c;
++ __builtin_memcpy(&c, s, sizeof(c));
++ return c;
++}
++
++/*
++ Ask the compiler to perform a wide, unaligned store with an machine
++ instruction appropriate for the chunkcopy_chunk_t type.
++ */
++static inline void storechunk(unsigned char FAR *d, chunkcopy_chunk_t c) {
++ __builtin_memcpy(d, &c, sizeof(c));
++}
++
++/*
++ Perform a memcpy-like operation, but assume that length is non-zero and that
++ it's OK to overwrite at least CHUNKCOPY_CHUNK_SIZE bytes of output even if
++ the length is shorter than this.
++
++ It also guarantees that it will properly unroll the data if the distance
++ between `out` and `from` is at least CHUNKCOPY_CHUNK_SIZE, which we rely on
++ in chunkcopy_relaxed().
++
++ Aside from better memory bus utilisation, this means that short copies
++ (CHUNKCOPY_CHUNK_SIZE bytes or fewer) will fall straight through the loop
++ without iteration, which will hopefully make the branch prediction more
++ reliable.
++ */
++static inline unsigned char FAR *chunkcopy_core(unsigned char FAR *out,
++ const unsigned char FAR *from,
++ unsigned len) {
++ int bump = (--len % CHUNKCOPY_CHUNK_SIZE) + 1;
++ storechunk(out, loadchunk(from));
++ out += bump;
++ from += bump;
++ len /= CHUNKCOPY_CHUNK_SIZE;
++ while (len-- > 0) {
++ storechunk(out, loadchunk(from));
++ out += CHUNKCOPY_CHUNK_SIZE;
++ from += CHUNKCOPY_CHUNK_SIZE;
++ }
++ return out;
++}
++
++/*
++ Like chunkcopy_core, but avoid writing beyond of legal output.
++
++ Accepts an additional pointer to the end of safe output. A generic safe
++ copy would use (out + len), but it's normally the case that the end of the
++ output buffer is beyond the end of the current copy, and this can still be
++ exploited.
++ */
++static inline unsigned char FAR *chunkcopy_core_safe(unsigned char FAR *out,
++ const unsigned char FAR * from,
++ unsigned len,
++ unsigned char FAR *limit) {
++ Assert(out + len <= limit, "chunk copy exceeds safety limit");
++ if (limit - out < CHUNKCOPY_CHUNK_SIZE) {
++ const unsigned char FAR * Z_RESTRICT rfrom = from;
++ if (len & 8) { __builtin_memcpy(out, rfrom, 8); out += 8; rfrom += 8; }
++ if (len & 4) { __builtin_memcpy(out, rfrom, 4); out += 4; rfrom += 4; }
++ if (len & 2) { __builtin_memcpy(out, rfrom, 2); out += 2; rfrom += 2; }
++ if (len & 1) { *out++ = *rfrom++; }
++ return out;
++ }
++ return chunkcopy_core(out, from, len);
++}
++
++/*
++ Perform short copies until distance can be rewritten as being at least
++ CHUNKCOPY_CHUNK_SIZE.
++
++ This assumes that it's OK to overwrite at least the first
++ 2*CHUNKCOPY_CHUNK_SIZE bytes of output even if the copy is shorter than
++ this. This assumption holds within inflate_fast() which starts every
++ iteration with at least 258 bytes of output space available (258 being the
++ maximum length output from a single token; see inffast.c).
++ */
++static inline unsigned char FAR *chunkunroll_relaxed(unsigned char FAR *out,
++ unsigned FAR *dist,
++ unsigned FAR *len) {
++ const unsigned char FAR *from = out - *dist;
++ while (*dist < *len && *dist < CHUNKCOPY_CHUNK_SIZE) {
++ storechunk(out, loadchunk(from));
++ out += *dist;
++ *len -= *dist;
++ *dist += *dist;
++ }
++ return out;
++}
++
++
++static inline uint8x16_t chunkset_vld1q_dup_u8x8(const unsigned char FAR * Z_RESTRICT from) {
++#if defined(__clang__) || defined(__aarch64__)
++ return vreinterpretq_u8_u64(vld1q_dup_u64((void *)from));
++#else
++ /* 32-bit GCC uses an alignment hint for vld1q_dup_u64, even when given a
++ * void pointer, so here's an alternate implementation.
++ */
++ uint8x8_t h = vld1_u8(from);
++ return vcombine_u8(h, h);
++#endif
++}
++
++/*
++ Perform an overlapping copy which behaves as a memset() operation, but
++ supporting periods other than one, and assume that length is non-zero and
++ that it's OK to overwrite at least CHUNKCOPY_CHUNK_SIZE*3 bytes of output
++ even if the length is shorter than this.
++ */
++static inline unsigned char FAR *chunkset_core(unsigned char FAR *out,
++ unsigned period,
++ unsigned len) {
++ uint8x16_t f;
++ int bump = ((len - 1) % sizeof(f)) + 1;
++
++ switch (period) {
++ case 1:
++ f = vld1q_dup_u8(out - 1);
++ vst1q_u8(out, f);
++ out += bump;
++ len -= bump;
++ while (len > 0) {
++ vst1q_u8(out, f);
++ out += sizeof(f);
++ len -= sizeof(f);
++ }
++ return out;
++ case 2:
++ f = vreinterpretq_u8_u16(vld1q_dup_u16((void *)(out - 2)));
++ vst1q_u8(out, f);
++ out += bump;
++ len -= bump;
++ if (len > 0) {
++ f = vreinterpretq_u8_u16(vld1q_dup_u16((void *)(out - 2)));
++ do {
++ vst1q_u8(out, f);
++ out += sizeof(f);
++ len -= sizeof(f);
++ } while (len > 0);
++ }
++ return out;
++ case 4:
++ f = vreinterpretq_u8_u32(vld1q_dup_u32((void *)(out - 4)));
++ vst1q_u8(out, f);
++ out += bump;
++ len -= bump;
++ if (len > 0) {
++ f = vreinterpretq_u8_u32(vld1q_dup_u32((void *)(out - 4)));
++ do {
++ vst1q_u8(out, f);
++ out += sizeof(f);
++ len -= sizeof(f);
++ } while (len > 0);
++ }
++ return out;
++ case 8:
++ f = chunkset_vld1q_dup_u8x8(out - 8);
++ vst1q_u8(out, f);
++ out += bump;
++ len -= bump;
++ if (len > 0) {
++ f = chunkset_vld1q_dup_u8x8(out - 8);
++ do {
++ vst1q_u8(out, f);
++ out += sizeof(f);
++ len -= sizeof(f);
++ } while (len > 0);
++ }
++ return out;
++ }
++ out = chunkunroll_relaxed(out, &period, &len);
++ return chunkcopy_core(out, out - period, len);
++}
++
++/*
++ Perform a memcpy-like operation, but assume that length is non-zero and that
++ it's OK to overwrite at least CHUNKCOPY_CHUNK_SIZE bytes of output even if
++ the length is shorter than this.
++
++ Unlike chunkcopy_core() above, no guarantee is made regarding the behaviour
++ of overlapping buffers, regardless of the distance between the pointers.
++ This is reflected in the `restrict`-qualified pointers, allowing the
++ compiler to reorder loads and stores.
++ */
++static inline unsigned char FAR *chunkcopy_relaxed(unsigned char FAR * Z_RESTRICT out,
++ const unsigned char FAR * Z_RESTRICT from,
++ unsigned len) {
++ return chunkcopy_core(out, from, len);
++}
++
++/*
++ Like chunkcopy_relaxed, but avoid writing beyond of legal output.
++
++ Unlike chunkcopy_core_safe() above, no guarantee is made regarding the
++ behaviour of overlapping buffers, regardless of the distance between the
++ pointers. This is reflected in the `restrict`-qualified pointers, allowing
++ the compiler to reorder loads and stores.
++
++ Accepts an additional pointer to the end of safe output. A generic safe
++ copy would use (out + len), but it's normally the case that the end of the
++ output buffer is beyond the end of the current copy, and this can still be
++ exploited.
++ */
++static inline unsigned char FAR *chunkcopy_safe(unsigned char FAR *out,
++ const unsigned char FAR * Z_RESTRICT from,
++ unsigned len,
++ unsigned char FAR *limit) {
++ Assert(out + len <= limit, "chunk copy exceeds safety limit");
++ return chunkcopy_core_safe(out, from, len, limit);
++}
++
++/*
++ Perform chunky copy within the same buffer, where the source and destination
++ may potentially overlap.
++
++ Assumes that len > 0 on entry, and that it's safe to write at least
++ CHUNKCOPY_CHUNK_SIZE*3 bytes to the output.
++ */
++static inline unsigned char FAR *chunkcopy_lapped_relaxed(unsigned char FAR *out,
++ unsigned dist,
++ unsigned len) {
++ if (dist < len && dist < CHUNKCOPY_CHUNK_SIZE) {
++ return chunkset_core(out, dist, len);
++ }
++ return chunkcopy_core(out, out - dist, len);
++}
++
++/*
++ Behave like chunkcopy_lapped_relaxed, but avoid writing beyond of legal output.
++
++ Accepts an additional pointer to the end of safe output. A generic safe
++ copy would use (out + len), but it's normally the case that the end of the
++ output buffer is beyond the end of the current copy, and this can still be
++ exploited.
++ */
++static inline unsigned char FAR *chunkcopy_lapped_safe(unsigned char FAR *out,
++ unsigned dist,
++ unsigned len,
++ unsigned char FAR *limit) {
++ Assert(out + len <= limit, "chunk copy exceeds safety limit");
++ if (limit - out < CHUNKCOPY_CHUNK_SIZE * 3) {
++ /* TODO: try harder to optimise this */
++ while (len-- > 0) {
++ *out = *(out - dist);
++ out++;
++ }
++ return out;
++ }
++ return chunkcopy_lapped_relaxed(out, dist, len);
++}
++
++#undef Z_RESTRICT
++
++#endif /* CHUNKCOPY_H */
+diff --git a/contrib/arm/inffast.c b/contrib/arm/inffast.c
+index 0dbd1dbc..f7f50071 100644
+--- a/contrib/arm/inffast.c
++++ b/contrib/arm/inffast.c
+@@ -7,6 +7,7 @@
+ #include "inftrees.h"
+ #include "inflate.h"
+ #include "inffast.h"
++#include "chunkcopy.h"
+
+ #ifdef ASMINF
+ # pragma message("Assembler code may have bugs -- use at your own risk")
+@@ -57,6 +58,7 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ unsigned char FAR *out; /* local strm->next_out */
+ unsigned char FAR *beg; /* inflate()'s initial strm->next_out */
+ unsigned char FAR *end; /* while out < end, enough space available */
++ unsigned char FAR *limit; /* safety limit for chunky copies */
+ #ifdef INFLATE_STRICT
+ unsigned dmax; /* maximum distance from zlib header */
+ #endif
+@@ -84,12 +86,13 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ out = strm->next_out;
+ beg = out - (start - strm->avail_out);
+ end = out + (strm->avail_out - 257);
++ limit = out + strm->avail_out;
+ #ifdef INFLATE_STRICT
+ dmax = state->dmax;
+ #endif
+ wsize = state->wsize;
+ whave = state->whave;
+- wnext = state->wnext;
++ wnext = (state->wnext == 0 && whave >= wsize) ? wsize : state->wnext;
+ window = state->window;
+ hold = state->hold;
+ bits = state->bits;
+@@ -197,70 +200,51 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ #endif
+ }
+ from = window;
+- if (wnext == 0) { /* very common case */
+- from += wsize - op;
+- if (op < len) { /* some from window */
+- len -= op;
+- do {
+- *out++ = *from++;
+- } while (--op);
+- from = out - dist; /* rest from output */
+- }
++ if (wnext >= op) { /* contiguous in window */
++ from += wnext - op;
+ }
+- else if (wnext < op) { /* wrap around window */
+- from += wsize + wnext - op;
++ else { /* wrap around window */
+ op -= wnext;
++ from += wsize - op;
+ if (op < len) { /* some from end of window */
+ len -= op;
+- do {
+- *out++ = *from++;
+- } while (--op);
+- from = window;
+- if (wnext < len) { /* some from start of window */
+- op = wnext;
+- len -= op;
+- do {
+- *out++ = *from++;
+- } while (--op);
+- from = out - dist; /* rest from output */
+- }
++ out = chunkcopy_safe(out, from, op, limit);
++ from = window; /* more from start of window */
++ op = wnext;
++ /* This (rare) case can create a situation where
++ the first chunkcopy below must be checked.
++ */
+ }
+ }
+- else { /* contiguous in window */
+- from += wnext - op;
+- if (op < len) { /* some from window */
+- len -= op;
+- do {
+- *out++ = *from++;
+- } while (--op);
+- from = out - dist; /* rest from output */
+- }
+- }
+- while (len > 2) {
+- *out++ = *from++;
+- *out++ = *from++;
+- *out++ = *from++;
+- len -= 3;
+- }
+- if (len) {
+- *out++ = *from++;
+- if (len > 1)
+- *out++ = *from++;
++ if (op < len) { /* still need some from output */
++ out = chunkcopy_safe(out, from, op, limit);
++ len -= op;
++ /* When dist is small the amount of data that can be
++ copied from the window is also small, and progress
++ towards the dangerous end of the output buffer is
++ also small. This means that for trivial memsets and
++ for chunkunroll_relaxed() a safety check is
++ unnecessary. However, these conditions may not be
++ entered at all, and in that case it's possible that
++ the main copy is near the end.
++ */
++ out = chunkunroll_relaxed(out, &dist, &len);
++ out = chunkcopy_safe(out, out - dist, len, limit);
++ } else {
++ /* from points to window, so there is no risk of
++ overlapping pointers requiring memset-like behaviour
++ */
++ out = chunkcopy_safe(out, from, len, limit);
+ }
+ }
+ else {
+- from = out - dist; /* copy direct from output */
+- do { /* minimum length is three */
+- *out++ = *from++;
+- *out++ = *from++;
+- *out++ = *from++;
+- len -= 3;
+- } while (len > 2);
+- if (len) {
+- *out++ = *from++;
+- if (len > 1)
+- *out++ = *from++;
+- }
++ /* Whole reference is in range of current output. No
++ range checks are necessary because we start with room
++ for at least 258 bytes of output, so unroll and roundoff
++ operations can write beyond `out+len` so long as they
++ stay within 258 bytes of `out`.
++ */
++ out = chunkcopy_lapped_relaxed(out, dist, len);
+ }
+ }
+ else if ((op & 64) == 0) { /* 2nd level distance code */
+diff --git a/contrib/arm/inflate.c b/contrib/arm/inflate.c
+index ac333e8c..e40322c3 100644
+--- a/contrib/arm/inflate.c
++++ b/contrib/arm/inflate.c
+@@ -84,6 +84,7 @@
+ #include "inftrees.h"
+ #include "inflate.h"
+ #include "inffast.h"
++#include "contrib/arm/chunkcopy.h"
+
+ #ifdef MAKEFIXED
+ # ifndef BUILDFIXED
+@@ -405,10 +406,20 @@ unsigned copy;
+
+ /* if it hasn't been done already, allocate space for the window */
+ if (state->window == Z_NULL) {
++ unsigned wsize = 1U << state->wbits;
+ state->window = (unsigned char FAR *)
+- ZALLOC(strm, 1U << state->wbits,
++ ZALLOC(strm, wsize + CHUNKCOPY_CHUNK_SIZE,
+ sizeof(unsigned char));
+ if (state->window == Z_NULL) return 1;
++#ifdef INFLATE_CLEAR_UNUSED_UNDEFINED
++ /* Copies from the overflow portion of this buffer are undefined and
++ may cause analysis tools to raise a warning if we don't initialize
++ it. However, this undefined data overwrites other undefined data
++ and is subsequently either overwritten or left deliberately
++ undefined at the end of decode; so there's really no point.
++ */
++ memset(state->window + wsize, 0, CHUNKCOPY_CHUNK_SIZE);
++#endif
+ }
+
+ /* if window not in use yet, initialize */
+@@ -1175,17 +1186,16 @@ int flush;
+ else
+ from = state->window + (state->wnext - copy);
+ if (copy > state->length) copy = state->length;
++ if (copy > left) copy = left;
++ put = chunkcopy_safe(put, from, copy, put + left);
+ }
+ else { /* copy from output */
+- from = put - state->offset;
+ copy = state->length;
++ if (copy > left) copy = left;
++ put = chunkcopy_lapped_safe(put, state->offset, copy, put + left);
+ }
+- if (copy > left) copy = left;
+ left -= copy;
+ state->length -= copy;
+- do {
+- *put++ = *from++;
+- } while (--copy);
+ if (state->length == 0) state->mode = LEN;
+ break;
+ case LIT:
diff --git a/package/libs/zlib/patches/003-attach-sourcefiles-in-patch-002-to-buildsystem.patch b/package/libs/zlib/patches/004-attach-sourcefiles-in-patch-002-to-buildsystem.patch
similarity index 100%
rename from package/libs/zlib/patches/003-attach-sourcefiles-in-patch-002-to-buildsystem.patch
rename to package/libs/zlib/patches/004-attach-sourcefiles-in-patch-002-to-buildsystem.patch
diff --git a/package/libs/zlib/patches/004-relative-pkg-config-paths.patch b/package/libs/zlib/patches/005-relative-pkg-config-paths.patch
similarity index 100%
rename from package/libs/zlib/patches/004-relative-pkg-config-paths.patch
rename to package/libs/zlib/patches/005-relative-pkg-config-paths.patch
diff --git a/package/libs/zlib/patches/006-fix-CVE-2022-37434.patch b/package/libs/zlib/patches/006-fix-CVE-2022-37434.patch
new file mode 100644
index 0000000000..dc84d3a1d3
--- /dev/null
+++ b/package/libs/zlib/patches/006-fix-CVE-2022-37434.patch
@@ -0,0 +1,32 @@
+From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
+From: Mark Adler <fork@madler.net>
+Date: Sat, 30 Jul 2022 15:51:11 -0700
+Subject: [PATCH] Fix a bug when getting a gzip header extra field with
+ inflate().
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+---
+ inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7be8c6366..7a7289749 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,9 +763,10 @@ int flush;
+ copy = state->length;
+ if (copy > have) copy = have;
+ if (copy) {
++ len = state->head->extra_len - state->length;
+ if (state->head != Z_NULL &&
+- state->head->extra != Z_NULL) {
+- len = state->head->extra_len - state->length;
++ state->head->extra != Z_NULL &&
++ len < state->head->extra_max) {
+ zmemcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
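Review bot: As vendored, this 006 patch places `len = state->head->extra_len - state->length;` ahead of the `state->head != Z_NULL` test on the next line, so after 006 alone the extra-field path dereferences a NULL `state->head` — exactly the regression the sibling 007 patch in this commit repairs. The series is therefore only correct as a pair; a bisect or a partial backport that stops at 006 inherits the NULL dereference. Since both are cherry-picks of upstream commits, consider either squashing them into one local patch or recording the dependency in this patch's description, e.g. `Note: must be applied together with 007-fix-null-dereference-in-fix-CVE-2022-37434.patch.` The enclosing inflate() function body begins and ends outside the quoted hunk.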
diff --git a/package/libs/zlib/patches/006-fix-compressor-crash-on-certain-inputs.patch b/package/libs/zlib/patches/006-fix-compressor-crash-on-certain-inputs.patch
deleted file mode 100644
index 9f37ba5c58..0000000000
--- a/package/libs/zlib/patches/006-fix-compressor-crash-on-certain-inputs.patch
+++ /dev/null
@@ -1,343 +0,0 @@
-From 5c44459c3b28a9bd3283aaceab7c615f8020c531 Mon Sep 17 00:00:00 2001
-From: Mark Adler <madler@alumni.caltech.edu>
-Date: Tue, 17 Apr 2018 22:09:22 -0700
-Subject: [PATCH] Fix a bug that can crash deflate on some input when using
- Z_FIXED.
-
-This bug was reported by Danilo Ramos of Eideticom, Inc. It has
-lain in wait 13 years before being found! The bug was introduced
-in zlib 1.2.2.2, with the addition of the Z_FIXED option. That
-option forces the use of fixed Huffman codes. For rare inputs with
-a large number of distant matches, the pending buffer into which
-the compressed data is written can overwrite the distance symbol
-table which it overlays. That results in corrupted output due to
-invalid distances, and can result in out-of-bound accesses,
-crashing the application.
-
-The fix here combines the distance buffer and literal/length
-buffers into a single symbol buffer. Now three bytes of pending
-buffer space are opened up for each literal or length/distance
-pair consumed, instead of the previous two bytes. This assures
-that the pending buffer cannot overwrite the symbol table, since
-the maximum fixed code compressed length/distance is 31 bits, and
-since there are four bytes of pending space for every three bytes
-of symbol space.
----
- deflate.c | 74 ++++++++++++++++++++++++++++++++++++++++---------------
- deflate.h | 25 +++++++++----------
- trees.c | 50 +++++++++++--------------------------
- 3 files changed, 79 insertions(+), 70 deletions(-)
-
-diff --git a/deflate.c b/deflate.c
-index 425babc00..19cba873a 100644
---- a/deflate.c
-+++ b/deflate.c
-@@ -255,11 +255,6 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
- int wrap = 1;
- static const char my_version[] = ZLIB_VERSION;
-
-- ushf *overlay;
-- /* We overlay pending_buf and d_buf+l_buf. This works since the average
-- * output size for (length,distance) codes is <= 24 bits.
-- */
--
- if (version == Z_NULL || version[0] != my_version[0] ||
- stream_size != sizeof(z_stream)) {
- return Z_VERSION_ERROR;
-@@ -329,9 +324,47 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
-
- s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
-
-- overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
-- s->pending_buf = (uchf *) overlay;
-- s->pending_buf_size = (ulg)s->lit_bufsize * (sizeof(ush)+2L);
-+ /* We overlay pending_buf and sym_buf. This works since the average size
-+ * for length/distance pairs over any compressed block is assured to be 31
-+ * bits or less.
-+ *
-+ * Analysis: The longest fixed codes are a length code of 8 bits plus 5
-+ * extra bits, for lengths 131 to 257. The longest fixed distance codes are
-+ * 5 bits plus 13 extra bits, for distances 16385 to 32768. The longest
-+ * possible fixed-codes length/distance pair is then 31 bits total.
-+ *
-+ * sym_buf starts one-fourth of the way into pending_buf. So there are
-+ * three bytes in sym_buf for every four bytes in pending_buf. Each symbol
-+ * in sym_buf is three bytes -- two for the distance and one for the
-+ * literal/length. As each symbol is consumed, the pointer to the next
-+ * sym_buf value to read moves forward three bytes. From that symbol, up to
-+ * 31 bits are written to pending_buf. The closest the written pending_buf
-+ * bits gets to the next sym_buf symbol to read is just before the last
-+ * code is written. At that time, 31*(n-2) bits have been written, just
-+ * after 24*(n-2) bits have been consumed from sym_buf. sym_buf starts at
-+ * 8*n bits into pending_buf. (Note that the symbol buffer fills when n-1
-+ * symbols are written.) The closest the writing gets to what is unread is
-+ * then n+14 bits. Here n is lit_bufsize, which is 16384 by default, and
-+ * can range from 128 to 32768.
-+ *
-+ * Therefore, at a minimum, there are 142 bits of space between what is
-+ * written and what is read in the overlain buffers, so the symbols cannot
-+ * be overwritten by the compressed data. That space is actually 139 bits,
-+ * due to the three-bit fixed-code block header.
-+ *
-+ * That covers the case where either Z_FIXED is specified, forcing fixed
-+ * codes, or when the use of fixed codes is chosen, because that choice
-+ * results in a smaller compressed block than dynamic codes. That latter
-+ * condition then assures that the above analysis also covers all dynamic
-+ * blocks. A dynamic-code block will only be chosen to be emitted if it has
-+ * fewer bits than a fixed-code block would for the same set of symbols.
-+ * Therefore its average symbol length is assured to be less than 31. So
-+ * the compressed data for a dynamic block also cannot overwrite the
-+ * symbols from which it is being constructed.
-+ */
-+
-+ s->pending_buf = (uchf *) ZALLOC(strm, s->lit_bufsize, 4);
-+ s->pending_buf_size = (ulg)s->lit_bufsize * 4;
-
- if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL ||
- s->pending_buf == Z_NULL) {
-@@ -340,8 +373,12 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
- deflateEnd (strm);
- return Z_MEM_ERROR;
- }
-- s->d_buf = overlay + s->lit_bufsize/sizeof(ush);
-- s->l_buf = s->pending_buf + (1+sizeof(ush))*s->lit_bufsize;
-+ s->sym_buf = s->pending_buf + s->lit_bufsize;
-+ s->sym_end = (s->lit_bufsize - 1) * 3;
-+ /* We avoid equality with lit_bufsize*3 because of wraparound at 64K
-+ * on 16 bit machines and because stored blocks are restricted to
-+ * 64K-1 bytes.
-+ */
-
- s->level = level;
- s->strategy = strategy;
-@@ -552,7 +589,7 @@ int ZEXPORT deflatePrime (strm, bits, value)
-
- if (deflateStateCheck(strm)) return Z_STREAM_ERROR;
- s = strm->state;
-- if ((Bytef *)(s->d_buf) < s->pending_out + ((Buf_size + 7) >> 3))
-+ if (s->sym_buf < s->pending_out + ((Buf_size + 7) >> 3))
- return Z_BUF_ERROR;
- do {
- put = Buf_size - s->bi_valid;
-@@ -1113,7 +1150,6 @@ int ZEXPORT deflateCopy (dest, source)
- #else
- deflate_state *ds;
- deflate_state *ss;
-- ushf *overlay;
-
-
- if (deflateStateCheck(source) || dest == Z_NULL) {
-@@ -1133,8 +1169,7 @@ int ZEXPORT deflateCopy (dest, source)
- ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte));
- ds->prev = (Posf *) ZALLOC(dest, ds->w_size, sizeof(Pos));
- ds->head = (Posf *) ZALLOC(dest, ds->hash_size, sizeof(Pos));
-- overlay = (ushf *) ZALLOC(dest, ds->lit_bufsize, sizeof(ush)+2);
-- ds->pending_buf = (uchf *) overlay;
-+ ds->pending_buf = (uchf *) ZALLOC(dest, ds->lit_bufsize, 4);
-
- if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL ||
- ds->pending_buf == Z_NULL) {
-@@ -1148,8 +1183,7 @@ int ZEXPORT deflateCopy (dest, source)
- zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size);
-
- ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf);
-- ds->d_buf = overlay + ds->lit_bufsize/sizeof(ush);
-- ds->l_buf = ds->pending_buf + (1+sizeof(ush))*ds->lit_bufsize;
-+ ds->sym_buf = ds->pending_buf + ds->lit_bufsize;
-
- ds->l_desc.dyn_tree = ds->dyn_ltree;
- ds->d_desc.dyn_tree = ds->dyn_dtree;
-@@ -1925,7 +1959,7 @@ local block_state deflate_fast(s, flush)
- FLUSH_BLOCK(s, 1);
- return finish_done;
- }
-- if (s->last_lit)
-+ if (s->sym_next)
- FLUSH_BLOCK(s, 0);
- return block_done;
- }
-@@ -2056,7 +2090,7 @@ local block_state deflate_slow(s, flush)
- FLUSH_BLOCK(s, 1);
- return finish_done;
- }
-- if (s->last_lit)
-+ if (s->sym_next)
- FLUSH_BLOCK(s, 0);
- return block_done;
- }
-@@ -2131,7 +2165,7 @@ local block_state deflate_rle(s, flush)
- FLUSH_BLOCK(s, 1);
- return finish_done;
- }
-- if (s->last_lit)
-+ if (s->sym_next)
- FLUSH_BLOCK(s, 0);
- return block_done;
- }
-@@ -2170,7 +2204,7 @@ local block_state deflate_huff(s, flush)
- FLUSH_BLOCK(s, 1);
- return finish_done;
- }
-- if (s->last_lit)
-+ if (s->sym_next)
- FLUSH_BLOCK(s, 0);
- return block_done;
- }
-diff --git a/deflate.h b/deflate.h
-index 23ecdd312..d4cf1a98b 100644
---- a/deflate.h
-+++ b/deflate.h
-@@ -217,7 +217,7 @@ typedef struct internal_state {
- /* Depth of each subtree used as tie breaker for trees of equal frequency
- */
-
-- uchf *l_buf; /* buffer for literals or lengths */
-+ uchf *sym_buf; /* buffer for distances and literals/lengths */
-
- uInt lit_bufsize;
- /* Size of match buffer for literals/lengths. There are 4 reasons for
-@@ -239,13 +239,8 @@ typedef struct internal_state {
- * - I can't count above 4
- */
-
-- uInt last_lit; /* running index in l_buf */
--
-- ushf *d_buf;
-- /* Buffer for distances. To simplify the code, d_buf and l_buf have
-- * the same number of elements. To use different lengths, an extra flag
-- * array would be necessary.
-- */
-+ uInt sym_next; /* running index in sym_buf */
-+ uInt sym_end; /* symbol table full when sym_next reaches this */
-
- ulg opt_len; /* bit length of current block with optimal trees */
- ulg static_len; /* bit length of current block with static trees */
-@@ -325,20 +320,22 @@ void ZLIB_INTERNAL _tr_stored_block OF((deflate_state *s, charf *buf,
-
- # define _tr_tally_lit(s, c, flush) \
- { uch cc = (c); \
-- s->d_buf[s->last_lit] = 0; \
-- s->l_buf[s->last_lit++] = cc; \
-+ s->sym_buf[s->sym_next++] = 0; \
-+ s->sym_buf[s->sym_next++] = 0; \
-+ s->sym_buf[s->sym_next++] = cc; \
- s->dyn_ltree[cc].Freq++; \
-- flush = (s->last_lit == s->lit_bufsize-1); \
-+ flush = (s->sym_next == s->sym_end); \
- }
- # define _tr_tally_dist(s, distance, length, flush) \
- { uch len = (uch)(length); \
- ush dist = (ush)(distance); \
-- s->d_buf[s->last_lit] = dist; \
-- s->l_buf[s->last_lit++] = len; \
-+ s->sym_buf[s->sym_next++] = dist; \
-+ s->sym_buf[s->sym_next++] = dist >> 8; \
-+ s->sym_buf[s->sym_next++] = len; \
- dist--; \
- s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \
- s->dyn_dtree[d_code(dist)].Freq++; \
-- flush = (s->last_lit == s->lit_bufsize-1); \
-+ flush = (s->sym_next == s->sym_end); \
- }
- #else
- # define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
-diff --git a/trees.c b/trees.c
-index 4f4a65011..decaeb7c3 100644
---- a/trees.c
-+++ b/trees.c
-@@ -416,7 +416,7 @@ local void init_block(s)
-
- s->dyn_ltree[END_BLOCK].Freq = 1;
- s->opt_len = s->static_len = 0L;
-- s->last_lit = s->matches = 0;
-+ s->sym_next = s->matches = 0;
- }
-
- #define SMALLEST 1
-@@ -948,7 +948,7 @@ void ZLIB_INTERNAL _tr_flush_block(s, buf, stored_len, last)
-
- Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ",
- opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len,
-- s->last_lit));
-+ s->sym_next / 3));
-
- if (static_lenb <= opt_lenb) opt_lenb = static_lenb;
-
-@@ -1017,8 +1017,9 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
- unsigned dist; /* distance of matched string */
- unsigned lc; /* match length-MIN_MATCH or unmatched char (if dist==0) */
- {
-- s->d_buf[s->last_lit] = (ush)dist;
-- s->l_buf[s->last_lit++] = (uch)lc;
-+ s->sym_buf[s->sym_next++] = dist;
-+ s->sym_buf[s->sym_next++] = dist >> 8;
-+ s->sym_buf[s->sym_next++] = lc;
- if (dist == 0) {
- /* lc is the unmatched char */
- s->dyn_ltree[lc].Freq++;
-@@ -1033,30 +1034,7 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
- s->dyn_ltree[_length_code[lc]+LITERALS+1].Freq++;
- s->dyn_dtree[d_code(dist)].Freq++;
- }
--
--#ifdef TRUNCATE_BLOCK
-- /* Try to guess if it is profitable to stop the current block here */
-- if ((s->last_lit & 0x1fff) == 0 && s->level > 2) {
-- /* Compute an upper bound for the compressed length */
-- ulg out_length = (ulg)s->last_lit*8L;
-- ulg in_length = (ulg)((long)s->strstart - s->block_start);
-- int dcode;
-- for (dcode = 0; dcode < D_CODES; dcode++) {
-- out_length += (ulg)s->dyn_dtree[dcode].Freq *
-- (5L+extra_dbits[dcode]);
-- }
-- out_length >>= 3;
-- Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ",
-- s->last_lit, in_length, out_length,
-- 100L - out_length*100L/in_length));
-- if (s->matches < s->last_lit/2 && out_length < in_length/2) return 1;
-- }
--#endif
-- return (s->last_lit == s->lit_bufsize-1);
-- /* We avoid equality with lit_bufsize because of wraparound at 64K
-- * on 16 bit machines and because stored blocks are restricted to
-- * 64K-1 bytes.
-- */
-+ return (s->sym_next == s->sym_end);
- }
-
- /* ===========================================================================
-@@ -1069,13 +1047,14 @@ local void compress_block(s, ltree, dtree)
- {
- unsigned dist; /* distance of matched string */
- int lc; /* match length or unmatched char (if dist == 0) */
-- unsigned lx = 0; /* running index in l_buf */
-+ unsigned sx = 0; /* running index in sym_buf */
- unsigned code; /* the code to send */
- int extra; /* number of extra bits to send */
-
-- if (s->last_lit != 0) do {
-- dist = s->d_buf[lx];
-- lc = s->l_buf[lx++];
-+ if (s->sym_next != 0) do {
-+ dist = s->sym_buf[sx++] & 0xff;
-+ dist += (unsigned)(s->sym_buf[sx++] & 0xff) << 8;
-+ lc = s->sym_buf[sx++];
- if (dist == 0) {
- send_code(s, lc, ltree); /* send a literal byte */
- Tracecv(isgraph(lc), (stderr," '%c' ", lc));
-@@ -1100,11 +1079,10 @@ local void compress_block(s, ltree, dtree)
- }
- } /* literal or match pair ? */
-
-- /* Check that the overlay between pending_buf and d_buf+l_buf is ok: */
-- Assert((uInt)(s->pending) < s->lit_bufsize + 2*lx,
-- "pendingBuf overflow");
-+ /* Check that the overlay between pending_buf and sym_buf is ok: */
-+ Assert(s->pending < s->lit_bufsize + sx, "pendingBuf overflow");
-
-- } while (lx < s->last_lit);
-+ } while (sx < s->sym_next);
-
- send_code(s, END_BLOCK, ltree);
- }
diff --git a/package/libs/zlib/patches/007-fix-null-dereference-in-fix-CVE-2022-37434.patch b/package/libs/zlib/patches/007-fix-null-dereference-in-fix-CVE-2022-37434.patch
new file mode 100644
index 0000000000..c5c95a92b2
--- /dev/null
+++ b/package/libs/zlib/patches/007-fix-null-dereference-in-fix-CVE-2022-37434.patch
@@ -0,0 +1,29 @@
+From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
+From: Mark Adler <fork@madler.net>
+Date: Mon, 8 Aug 2022 10:50:09 -0700
+Subject: [PATCH] Fix extra field processing bug that dereferences NULL
+ state->head.
+
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+---
+ inflate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7a7289749..2a3c4fe98 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,10 +763,10 @@ int flush;
+ copy = state->length;
+ if (copy > have) copy = have;
+ if (copy) {
+- len = state->head->extra_len - state->length;
+ if (state->head != Z_NULL &&
+ state->head->extra != Z_NULL &&
+- len < state->head->extra_max) {
++ (len = state->head->extra_len - state->length) <
++ state->head->extra_max) {
+ zmemcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
--
2.34.1